Security gaps found in massive visa database

Cyber-defense experts found security gaps in a State Department system that could have allowed hackers to doctor visa applications or pilfer sensitive data from the half-billion records on file, according to several sources familiar with the matter -- though defenders of the agency downplayed the threat and said the vulnerabilities would be difficult to exploit.

Briefed to high-level officials across government, the discovery that visa-related records were potentially vulnerable to illicit changes sparked concern because foreign nations are relentlessly looking for ways to plant spies inside the United States, and terrorist groups like ISIS have expressed their desire to exploit the U.S. visa system, sources added.

“We are, and have been, working continuously ... to detect and close any possible vulnerability,” State Department spokesman John Kirby said in a statement. After commissioning an internal review of its cyber-defenses several months ago, the State Department learned its Consular Consolidated Database -- the government’s so-called “backbone” for vetting travelers to and from the United States -- was at risk of being compromised, though no breach had been detected, according to sources in the State Department, on Capitol Hill and elsewhere.

As one of the world’s largest biometric databases -- covering almost anyone who has applied for a U.S. passport or visa in the past two decades -- the “CCD” holds such personal information as applicants’ photographs, fingerprints, Social Security or other identification numbers and even children’s schools.

Those records could be a treasure trove for criminals looking to steal victims’ identities or access private accounts. But “more dire” and “grave,” according to several sources, was the prospect of adversaries potentially altering records that help determine whether a visa or passport application is approved. “Every visa decision we make is a national security decision,” a top State Department official, Michele Thoren Bond, told a recent House panel.

Last year alone, the State Department received -- and denied -- visa applications from more than 2,200 people with a “suspected connection to terrorism,” a senior Homeland Security Investigations official, Lev Kubiak, told lawmakers last month. One official associated with State Department efforts to address the vulnerabilities said a “coordinated mitigation plan” has already “remediated” the visa-related gaps, and further steps continue with “appropriate [speed] and precision.”

“[We] view this issue in the lowest threat category,” the official said, noting that any online system suffers from vulnerabilities. But speaking on the condition of anonymity, some government sources with insight into the matter were skeptical that CCD’s security gaps have actually been resolved.

“Vulnerabilities have not all been fixed,” and “there is no defined timeline for closing [them] out,” according to a congressional source informed of the matter. “I know the vulnerabilities discovered deserve a pretty darn quick [remedy],” but it took senior State Department officials months to start addressing the key issues, warned another concerned government source.

Despite repeated requests for official responses, Kirby and others were unwilling to say whether the vulnerabilities have been resolved or offer any further information about where efforts to patch them now stand.

Nevertheless, many State Department officials questioned whether terrorists or other adversaries would have the capabilities to access and successfully exploit CCD data -- even if the security gaps were still open.

CCD allows authorized users to submit notes and recommendations directly into applicants’ files. But to alter visa applications or other visa-related information, hackers would have to obtain “the right level of permissions” within the system -- no easy task, according to State Department officials.

There is also continuous oversight of the database and a series of other “fail-safes” built into the process, including rigorous in-person interviews and additional background checks, the officials said. Kirby, the spokesman, described any recent security-related findings as a product of his department’s “routine monitoring and testing of systems” to “identify and remediate vulnerabilities before they can be exploited.”

State Department documents describe CCD as an “unclassified but sensitive system.” Connected to other federal agencies like the FBI, Department of Homeland Security and Defense Department, the database contains more than 290 million passport-related records, 184 million visa records and 25 million records on U.S. citizens overseas.

Without getting into specifics, sources said the vulnerabilities identified several months ago stem from aging “legacy” computer systems that comprise CCD. “Because of the CCD’s importance to national security, ensuring its data integrity, availability, and confidentiality is vital,” the State Department’s inspector general warned in 2011. The database’s software and infrastructure will be overhauled in the years ahead, according to the State Department.